Privacy Breach Class Actions in Québec: Key Decisions and Recent Developments
By Jason Stober, lawyer
Over the years, class actions related to cyber-security incidents have followed a similar formula. A corporate Defendant (such as Yahoo, Equifax, Nissan Canada, Target, Desjardins, Capital One, etc.) suffers a cyber-security incident which may have compromised the personal information of its consumers. The corporation then communicates with its consumers to inform them that the breach occurred. From that moment, Plaintiff-side class action firms rush to file applications for authorization to institute a class action on behalf of those individuals whose personal information may have been compromised in the privacy breach. In Québec, only the first firm to file such an application enjoys carriage of the class action.
To date, privacy breach class actions filed in Québec have met one of two outcomes: dismissal at the authorization stage or settlement post-authorization. At this time, not one privacy breach class action has been adjudicated on the merits in Québec. Accordingly, no reported decisions provide a detailed analysis of a corporation’s conduct during the life-cycle of a privacy breach to determine if they committed a civil fault. Nor has a decision assessed the merits of the damages (moral, pecuniary, or punitive) to which class members could be entitled.
That said, over the years Québec decisions authorizing, or refusing to authorize, privacy breach class actions have provided some noteworthy remarks about what is required to establish an arguable case that the facts alleged in support of the class action justify the conclusions sought.
Overview of the Jurisprudence:
Without providing an exhaustive overview of privacy breach class action decisions in Québec, a review of some key decisions can help us discern certain common threads (in addition to unresolved controversies). Authorization decisions addressing privacy breach class actions have generally acknowledged that the Plaintiff had an arguable case that the Defendant committed a civil fault and have left this issue to be decided on the merits. However, the issue of damages (particularly moral and punitive damages) has been fatal to many privacy breach class actions.
The Court of Appeal provided guidance on this issue in Sofio c. Organisme canadien de réglementation du commerce des valeurs mobilières (OCRCVM), 2015 QCCA 1820. In this matter, an employee of IIROC had lost their laptop computer, which could have compromised the personal information of the clients of many Canadian investment brokers. The Plaintiff claimed $1000 in moral damages on behalf of each member but did not claim punitive damages. In upholding the first-instance judge’s decision to dismiss the application, the Court held that the Plaintiff’s allegations in support of the moral damages claim, that he took additional steps to ensure that he did not become a victim of identity theft, were insufficient to establish an arguable case that he suffered compensable moral damages.
Thereafter, in Zuckerman c. Target Corporation, 2017 QCCS 110, the Court authorized a privacy breach class action against Target, concerning the loss of payment card data, for moral and punitive damages. The Court held that the Plaintiff presented an arguable case that he suffered compensable damages, as he had incurred out-of-pocket expenses (nearly $20 in credit monitoring services), and it would be premature to hold otherwise. Target had offered the service to its clients after the breach, though the Plaintiff claimed he was unable to obtain the service from Target. Interestingly, the Court held that it would be premature to dismiss the claim for punitive damages and left the question for the merits, holding that the award would be based on an analysis of “the whole of the defendant’s conduct”. In this regard, Target had argued that the Plaintiff did not allege anything that would entitle him to punitive damages, as he did not even reference the Quebec Charter of Human Rights and Freedoms in his application. The Court dismissed this argument and held that it was sufficient for the Plaintiff to mention that Target committed an intentional fault that resulted in a “loss of private information”.
Yahoo & Equifax
The Yahoo matter concerned data breaches between 2013 and 2016 in which sensitive personal account information associated with at least 500 million user accounts around the world may have been compromised. In Yahoo, the Plaintiff’s response to the breach (changing passwords for all her accounts associated with her Yahoo account) and the embarrassment she suffered as a result of spam emails sent out to her contacts from that Yahoo account were found to be insufficient to present an arguable case.
The Equifax matter concerned the famous privacy breach between May and July 2017, in which the personal information of up to 19,000 Canadians may have been compromised (in addition to the personal information of nearly 150 million Americans). In Equifax, the Court rejected the Plaintiff’s claims, noting that they essentially concerned future risks and expenses that had not yet been incurred, but that the Plaintiff expected to incur in the future (including general allegations that he was at risk of identity theft, kidnapping, and sexual assault). The Court dismissed these claims, noting that the risk of suffering damages in the future is not compensable in Québec civil law as it is uncertain and hypothetical and is therefore prohibited under article 1611 of the Civil Code of Québec.
In each case, the Court held that the Plaintiff failed to present an arguable case that they suffered compensable moral damages and found that there was no legal basis to award punitive damages under the Québec Charter, which requires proof of an unlawful and intentional breach of a Charter protected right. Moreover, in both cases, the Plaintiffs did not establish an arguable case that they incurred out-of-pocket expenses as a result of the breach (such as purchasing credit-monitoring services), which could amount to compensable pecuniary damages.
In another recent decision, Lévy c. Nissan Canada inc., 2019 QCCS 3957, the Court authorized a class action resulting from a “bitcoin ransom” privacy breach (three officers of Nissan Canada received a threatening email suggesting that the personal information of their consumers would be used for malicious purposes if they refused to pay a bitcoin ransom).
The Court authorized the class action, finding that the Plaintiff established an arguable case that she had paid approximately $7 for credit-monitoring services as a result of the incident. That said, the Court dismissed the punitive damages claim, finding that there was no evidence that Nissan intentionally wished to expose its clients to a data breach (in the Court’s view, gross negligence would not be sufficient). The Court distinguished the earlier decision of Belley c. TD Auto Finance Services Inc./Services de financement auto TD inc., 2015 QCCS 168 in which a claim for punitive damages had been authorized (in that matter the data breach resulted from the loss of a data tape that was transported by UPS in a package listed as having $5 in declared value). Despite having noted the factual distinction, it is not clear how the Defendant’s conduct in Belley would have amounted to intentional fault (or anything more than gross fault).
Recent Developments and Bill 64
In the not too distant future, we may observe further developments in this area of law. Notably, privacy breach class actions have been filed against Desjardins (claiming over $3 billion), Capital One, MGM Resorts International, StockX (the online clothing and shoe reseller), and Facebook (for the alleged illegal sale of customer data).
Also noteworthy, on June 12, 2020, the Québec Government introduced Bill 64, An Act to modernize legislative provisions as regards the protection of personal information, which, among many other things, proposes amendments to Québec’s private-sector privacy legislation to introduce causes of action for statutory damages for breaches of the privacy provisions provided in the Civil Code of Québec (art. 35-40 CCQ) in addition to Québec’s private-sector privacy legislation, and punitive damages of at least $1000 where the breach results from either an intentional or gross fault. If adopted as drafted, these legislative changes would increase the litigation risks resulting from a privacy breach. That said, Bill 64 has been referred to the consultation stage and is slated to enter into force one year after it is adopted. Accordingly, it may be a few years before these proposals enter into force.
 Investment Industry Regulatory Organization of Canada.
 This matter was settled in 2018 for $345,000 in addition to $150,000 in class counsel fees and $150,000 in claims administrator fees.
 Application for leave to appeal pending.
 Act respecting the protection of personal information in the private sector, CQLR c P-39.1.